<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge, chrome=1" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<meta name="browsermode" content="application">
<meta name="apple-touch-fullscreen" content="yes">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-title" content="Axojhf的博客">
<meta name="apple-mobile-web-app-status-bar-style" content="default">
<meta name="msapplication-navbutton-color" content="#666666">
<meta name= "format-detection" content="telephone=no" />





  <meta name="keywords" content="Writeup, nlvi" />


<link rel="apple-touch-startup-image" media="(device-width: 375px)" href="assets/apple-launch-1125x2436.png">
<link rel="apple-touch-startup-image" media="(orientation: landscape)" href="assets/apple-touch-startup-image-2048x1496.png">

<link rel="stylesheet" href="/blog/style/style.css">

<script>
  var nlviconfig = {
    title: "Axojhf的博客",
    author: "Axojhf",
    baseUrl: "/blog/",
    theme: {
      scheme: "banderole",
      lightbox: true,
      animate: true,
      search: true,
      friends: false,
      reward: false,
      pjax: false,
      lazy: false,
      toc: true
    }
  }
</script>




    
<link rel="stylesheet" href="/blog/script/lib/lightbox/css/lightbox.min.css">





    
<link rel="stylesheet" href="/blog/syuanpi/syuanpi.min.css">
















<style>
@font-face {
  font-family: "Allura";
  src: url('/blog/font/allura/allura.ttf');
}
</style>

  <title> 我写出来的招新题的Writeup · Axojhf的博客 </title>
<meta name="generator" content="Hexo 4.2.1"></head>
<body>
  <div class="container">
    <header class="header" id="header">
  <div class="header-wrapper">
    <div class="logo">
  <div class="logo-inner syuanpi tvIn" style="display:none;">
    <h1><a href="/blog/">Axojhf的博客</a></h1>
    
  </div>
</div>

    <nav class="main-nav">
  
  <ul class="main-nav-list syuanpi tvIn">
  
    <li class="menu-item">
      <a href="javascript:;" id="search-btn" aria-label="Search">
        <i class="iconfont icon-search"></i>
      </a>
    </li>
  
  
  
    
  
    <li class="menu-item">
      <a href="/blog/" id="article">
        <span class="base-name">
          
            ARTICLE
          
        </span>
      </a>
    </li>
  
  
    
  
    <li class="menu-item">
      <a href="/blog/archives" id="archives">
        <span class="base-name">
          
            ARCHIVES
          
        </span>
      </a>
    </li>
  
  
    
  
    <li class="menu-item">
      <a href="javascript:;" id="tags">
        <span class="base-name">
          
            TAGS
          
        </span>
      </a>
    </li>
  
  
    
  
    <li class="menu-item">
      <a href="/blog/about" id="about">
        <span class="base-name">
          
            ABOUT
          
        </span>
      </a>
    </li>
  
  
  </ul>
  
</nav>

  </div>
</header>
<div class="mobile-header" id="mobile-header">
  <div class="mobile-header-nav">
    <div class="mobile-header-item" id="mobile-left">
      <div class="header-menu-item">
        <div class="header-menu-line"></div>
      </div>
    </div>
    <h1 class="mobile-header-title">
      <a href="/">Axojhf的博客</a>
    </h1>
    <div class="mobile-header-item"></div>
  </div>
  <div class="mobile-header-body">
    <ul class="mobile-header-list">
      
        <li class="mobile-nav-item syuanpi fadeInRightShort back-0">
          <a href="/blog/" >
            
              ARTICLE
            
          </a>
        </li>
      
        <li class="mobile-nav-item syuanpi fadeInRightShort back-1">
          <a href="/blog/archives" >
            
              ARCHIVES
            
          </a>
        </li>
      
        <li class="mobile-nav-item syuanpi fadeInRightShort back-2">
          <a href="javascript:;" id="mobile-tags">
            
              TAGS
            
          </a>
        </li>
      
        <li class="mobile-nav-item syuanpi fadeInRightShort back-3">
          <a href="/blog/about" >
            
              ABOUT
            
          </a>
        </li>
      
    </ul>
  </div>
</div>



    <div class="container-inner" style="display:none;">
      <main class="main" id="main">
        <div class="main-wrapper">
          
    
  
  <article class="
  post
   is_post 
  ">
    <header class="post-header">
      <div class="post-time syuanpi fadeInRightShort back-1">
        <div class="post-time-wrapper">
          
          <time>2020-06-01</time>
          
        </div>
      </div>
      <h2 class="post-title syuanpi fadeInRightShort back-2">
        
          我写出来的招新题的Writeup
        
      </h2>
    </header>
    <div class="post-content syuanpi fadeInRightShort back-3">
      
        <h1 id="Writeups"><a href="#Writeups" class="headerlink" title="Writeups"></a>Writeups</h1><h2 id="PE逆向-1-题目名不记得了"><a href="#PE逆向-1-题目名不记得了" class="headerlink" title="PE逆向 1(题目名不记得了)"></a>PE逆向 1(题目名不记得了)</h2><p>使用python的uncompyle工具转换pyc文件为py文件，其中的层次结构很明显，而且都是可逆的操作，所以只要将correct的字符串用base64编码然后对每一个字符i做（i-16)^32就可以得到答案</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#-*- coding: utf-8 -*-</span></span><br><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"></span><br><span class="line">s=<span class="string">'XlNkVmtUI1MgXWBZXCFeKY+AaXNt'</span></span><br><span class="line">a = base64.b64decode(s)</span><br><span class="line">ans = <span class="string">''</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> a:</span><br><span class="line">    x = (ord(i) - <span class="number">16</span>) ^ <span class="number">32</span></span><br><span class="line">    ans += chr(x)</span><br><span class="line"><span class="keyword">print</span> ans</span><br></pre></td></tr></table></figure>

<a id="more"></a>

<h2 id="PE逆向2（题目名也不记得了）"><a href="#PE逆向2（题目名也不记得了）" class="headerlink" title="PE逆向2（题目名也不记得了）"></a>PE逆向2（题目名也不记得了）</h2><p>先转换出.py文件，很明显有个输入<code>flag = raw_input(&#39;Input your Key:&#39;).strip()</code>之后有个长度检测<code>if len(flag) != 17:</code>，然后有一个逆转字符的操作<code>flag = flag[::-1]</code>，之后有一个索引表的内容的过程<code>ord(flag[i]) + pwda[i] &amp; 255 != lookup[(i + pwdb[i])</code>，这个不太麻烦，而且很明显是可逆的，所以：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">lookup = [<span class="number">196</span>, <span class="number">153</span>, <span class="number">149</span>, <span class="number">206</span>, <span class="number">17</span>, <span class="number">221</span>, <span class="number">10</span>, <span class="number">217</span>, <span class="number">167</span>, <span class="number">18</span>, <span class="number">36</span>, <span class="number">135</span>, <span class="number">103</span>, <span class="number">61</span>, <span class="number">111</span>, <span class="number">31</span>, <span class="number">92</span>, <span class="number">152</span>, <span class="number">21</span>, <span class="number">228</span>, <span class="number">105</span>, <span class="number">191</span>, <span class="number">173</span>, <span class="number">41</span>, <span class="number">2</span>, <span class="number">245</span>, <span class="number">23</span>, <span class="number">144</span>, <span class="number">1</span>, <span class="number">246</span>, <span class="number">89</span>, <span class="number">178</span>, <span class="number">182</span>, <span class="number">119</span>, <span class="number">38</span>, <span class="number">85</span>, <span class="number">48</span>, <span class="number">226</span>, <span class="number">165</span>, <span class="number">241</span>, <span class="number">166</span>, <span class="number">214</span>, <span class="number">71</span>, <span class="number">90</span>, <span class="number">151</span>, <span class="number">3</span>, <span class="number">109</span>, <span class="number">169</span>, <span class="number">150</span>, <span class="number">224</span>, <span class="number">69</span>, <span class="number">156</span>, <span class="number">158</span>, <span class="number">57</span>, <span class="number">181</span>, <span class="number">29</span>, <span class="number">200</span>, <span class="number">37</span>, <span class="number">51</span>, <span class="number">252</span>, <span class="number">227</span>, <span class="number">93</span>, <span class="number">65</span>, <span class="number">82</span>, <span class="number">66</span>, <span class="number">80</span>, <span class="number">170</span>, <span class="number">77</span>, <span class="number">49</span>, <span class="number">177</span>, <span class="number">81</span>, <span class="number">94</span>, <span class="number">202</span>, <span class="number">107</span>, <span class="number">25</span>, <span class="number">73</span>, <span class="number">148</span>, <span class="number">98</span>, <span class="number">129</span>, <span class="number">231</span>, <span class="number">212</span>, <span class="number">14</span>, <span class="number">84</span>, <span class="number">121</span>, <span class="number">174</span>, <span class="number">171</span>, <span class="number">64</span>, <span class="number">180</span>, <span class="number">233</span>, <span class="number">74</span>, <span class="number">140</span>, <span class="number">242</span>, <span class="number">75</span>, <span class="number">104</span>, <span class="number">253</span>, <span class="number">44</span>, <span class="number">39</span>, <span class="number">87</span>, <span class="number">86</span>, <span class="number">27</span>, <span class="number">68</span>, <span class="number">22</span>, <span class="number">55</span>, <span class="number">76</span>, <span class="number">35</span>, <span class="number">248</span>, <span class="number">96</span>, <span class="number">5</span>, <span class="number">56</span>, <span class="number">20</span>, <span class="number">161</span>, <span class="number">213</span>, <span class="number">238</span>, <span class="number">220</span>, <span class="number">72</span>, <span class="number">100</span>, <span class="number">247</span>, <span class="number">8</span>, <span class="number">63</span>, <span class="number">249</span>, <span class="number">145</span>, <span class="number">243</span>, <span class="number">155</span>, <span class="number">222</span>, <span class="number">122</span>, <span class="number">32</span>, <span class="number">43</span>, <span class="number">186</span>, <span class="number">0</span>, <span class="number">102</span>, <span class="number">216</span>, <span class="number">126</span>, <span class="number">15</span>, <span class="number">42</span>, <span class="number">115</span>, <span class="number">138</span>, <span class="number">240</span>, <span class="number">147</span>, <span class="number">229</span>, <span class="number">204</span>, <span class="number">117</span>, <span class="number">223</span>, <span class="number">141</span>, <span class="number">159</span>, <span class="number">131</span>, <span class="number">232</span>, <span class="number">124</span>, <span class="number">254</span>, <span class="number">60</span>, <span class="number">116</span>, <span class="number">46</span>, <span class="number">113</span>, <span class="number">79</span>, <span class="number">16</span>, <span class="number">128</span>, <span class="number">6</span>, <span class="number">251</span>, <span class="number">40</span>, <span class="number">205</span>, <span class="number">137</span>, <span class="number">199</span>, <span class="number">83</span>, <span class="number">54</span>, <span class="number">188</span>, <span class="number">19</span>, <span class="number">184</span>, <span class="number">201</span>, <span class="number">110</span>, <span class="number">255</span>, <span class="number">26</span>, <span class="number">91</span>, <span class="number">211</span>, <span class="number">132</span>, <span class="number">160</span>, <span class="number">168</span>, <span class="number">154</span>, <span class="number">185</span>, <span class="number">183</span>, <span class="number">244</span>, <span class="number">78</span>, <span class="number">33</span>, <span class="number">123</span>, <span class="number">28</span>, <span class="number">59</span>, <span class="number">12</span>, <span class="number">210</span>, <span class="number">218</span>, <span class="number">47</span>, <span class="number">163</span>, <span class="number">215</span>, <span class="number">209</span>, <span class="number">108</span>, <span class="number">235</span>, <span class="number">237</span>, <span class="number">118</span>, <span class="number">101</span>, <span class="number">24</span>, <span class="number">234</span>, <span class="number">106</span>, <span class="number">143</span>, <span class="number">88</span>, <span class="number">9</span>, <span class="number">136</span>, <span class="number">95</span>, <span class="number">30</span>, <span class="number">193</span>, <span class="number">176</span>, <span class="number">225</span>, <span class="number">198</span>, <span class="number">197</span>, <span class="number">194</span>, <span class="number">239</span>, <span class="number">134</span>, <span class="number">162</span>, <span class="number">192</span>, <span class="number">11</span>, <span class="number">70</span>, <span class="number">58</span>, <span class="number">187</span>, <span class="number">50</span>, <span class="number">67</span>, <span class="number">236</span>, <span class="number">230</span>, <span class="number">13</span>, <span class="number">99</span>, <span class="number">190</span>, <span class="number">208</span>, <span class="number">207</span>, <span class="number">7</span>, <span class="number">53</span>, <span class="number">219</span>, <span class="number">203</span>, <span class="number">62</span>, <span class="number">114</span>, <span class="number">127</span>, <span class="number">125</span>, <span class="number">164</span>, <span class="number">179</span>, <span class="number">175</span>, <span class="number">112</span>, <span class="number">172</span>, <span class="number">250</span>, <span class="number">133</span>, <span class="number">130</span>, <span class="number">52</span>, <span class="number">189</span>, <span class="number">97</span>, <span class="number">146</span>, <span class="number">34</span>, <span class="number">157</span>, <span class="number">120</span>, <span class="number">195</span>, <span class="number">45</span>, <span class="number">4</span>, <span class="number">142</span>, <span class="number">139</span>]</span><br><span class="line">pwda = [<span class="number">188</span>, <span class="number">155</span>, <span class="number">11</span>, <span class="number">58</span>, <span class="number">251</span>, <span class="number">208</span>, <span class="number">204</span>, <span class="number">202</span>, <span class="number">150</span>, <span class="number">120</span>, <span class="number">206</span>, <span class="number">237</span>, <span class="number">114</span>, <span class="number">92</span>, <span class="number">126</span>, <span class="number">6</span>, <span class="number">42</span>]</span><br><span class="line">pwdb = [<span class="number">53</span>, <span class="number">222</span>, <span class="number">230</span>, <span class="number">35</span>, <span class="number">67</span>, <span class="number">248</span>, <span class="number">226</span>, <span class="number">216</span>, <span class="number">17</span>, <span class="number">209</span>, <span class="number">32</span>, <span class="number">2</span>, <span class="number">181</span>, <span class="number">200</span>, <span class="number">171</span>, <span class="number">60</span>, <span class="number">108</span>]</span><br><span class="line">s=<span class="string">''</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">17</span>):</span><br><span class="line">    s += chr((lookup[(i + pwdb[i])]) - pwda[i] &amp; <span class="number">255</span>)</span><br><span class="line">print(s[::<span class="number">-1</span>])</span><br></pre></td></tr></table></figure>

<h2 id="PE逆向3-（Crackme）"><a href="#PE逆向3-（Crackme）" class="headerlink" title="PE逆向3 （Crackme）"></a>PE逆向3 （Crackme）</h2><p>首先用DIE查看一下程序信息：</p>
<p><img src="image-20200531172546249.png" alt="image-20200531172546249"></p>
<p>应该没壳，</p>
<p>用IDA反编译看了看<img src="image-20200531172800812.png" alt="image-20200531172800812"></p>
<p>（这里程序貌似是静态编译的sub_4011BA是打印用的函数），关键函数是<code>sub_401060</code>。</p>
<p>sub_401060函数的前部分有几个赋值语句<img src="image-20200531173108785.png" alt="image-20200531173108785"></p>
<p>实际上只有v5在后面用到了而且根据<code>dword_40708C</code>位置的数据来看这应该可能是一个字符串<img src="image-20200531173245476.png" alt="image-20200531173245476"></p>
<p>之后有个对输入字符串(后文简称a1)做异或处理部分<img src="image-20200531173518022.png" alt="image-20200531173518022"></p>
<p>然后是一个对v5字符串做“减5”操作的部分<img src="image-20200531173716462.png" alt="image-20200531173716462"></p>
<p>之后是一个循环<img src="image-20200531173805588.png" alt="image-20200531173805588"></p>
<p>这里只要v5，a1的每个元素满足<code>a1[v3] == v5[a3]</code>就可以返回1获得正确答案</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;string.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span> <span class="params">(<span class="keyword">void</span>)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	<span class="keyword">char</span> s[] = <span class="string">"\x68\x57\x19\x48\x50\x6E\x58\x78\x54\x6A\x19\x58\x5E\x06\x00"</span>;</span><br><span class="line">	<span class="comment">//char outs[] = "\x63\x52\x14\x43\x4b\x69\x53\x73\x4f\x65\x14\x53\x59\x1";</span></span><br><span class="line">	<span class="keyword">for</span> (<span class="keyword">int</span> i = <span class="number">0</span>; i &lt; <span class="built_in">strlen</span>(s); ++i)</span><br><span class="line">	&#123;</span><br><span class="line">		s[i] -= <span class="number">5</span>;</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="keyword">for</span> (<span class="keyword">int</span> i = <span class="number">0</span>; i &lt; <span class="built_in">strlen</span>(s); ++i)</span><br><span class="line">	&#123;</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"%c"</span>, s[i] ^ <span class="number">0x20</span>);</span><br><span class="line">	&#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<h2 id="杂项1（timg0）"><a href="#杂项1（timg0）" class="headerlink" title="杂项1（timg0）"></a>杂项1（timg0）</h2><p>查看图片的16进制代码，在文件结尾处可以看到有点像Base64的部分代码</p>
<p><img src="image-20200531174655247.png" alt="image-20200531174655247"></p>
<p>然后我拷贝了一部分<code>YdHRjdGZ7dEhpcy1pUy1uT3QtYXNJTXBsZS1waUN0VXJlfQ==</code>，使用base64解码后发现不太对，然后就把首字符<code>Y</code>去掉了，这下就正确了</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"><span class="comment">#YdHRjdGZ7dEhpcy1pUy1uT3QtYXNJTXBsZS1waUN0VXJlfQ==</span></span><br><span class="line">encodestr = base64.b64decode(<span class="string">'dHRjdGZ7dEhpcy1pUy1uT3QtYXNJTXBsZS1waUN0VXJlfQ=='</span>.encode(<span class="string">'utf-8'</span>))</span><br><span class="line">print(str(encodestr))</span><br></pre></td></tr></table></figure>

<h2 id="杂项2（base）"><a href="#杂项2（base）" class="headerlink" title="杂项2（base）"></a>杂项2（base）</h2><p>题目说了和base编码有关系，看初始的编码可能是base64，所以就用base64解码了，然后依次使用base32，base16解码，就得到答案了</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"></span><br><span class="line">a = base64.b64decode(<span class="string">'R1kzRE1RWldHRTNET04yQ0dZWkRNTUpYR00zREtNWldHTTJES1JSV0dJM0RDTlpUR1kyVEdNWlRHSTJVTU5SU0dZWVRPTVpXR1VaVENNWldHNUNBPT09PQ=='</span>)</span><br><span class="line">b = base64.b32decode(a)</span><br><span class="line">c = base64.b16decode(b)</span><br><span class="line">print(c)</span><br></pre></td></tr></table></figure>
      
    
    </div>
    
      <div class="post-tags syuanpi fadeInRightShort back-3">
      
        <a href="/blog/tags/Writeup/">Writeup</a>
      
      </div>
    
    
      

      
  <hr class="copy-line">
  <div class="post-copyright">
    <div class="copy-author">
      <span>作者 :</span>
      <span>Axojhf</span>
    </div>
    <div class="copy-url">
      <span>地址 :</span>
      <a href="http://xiaoaoaode.gitee.io/blog/2020/06/01/14185/">http://xiaoaoaode.gitee.io/blog/2020/06/01/14185/</a>
    </div>
    <div class="copy-origin">
      <span>来源 :</span>
      <a href="http://xiaoaoaode.gitee.io/blog">http://xiaoaoaode.gitee.io/blog</a>
    </div>
    <div class="copy-license">
      
      著作权归作者所有，转载请联系作者获得授权。
    </div>
  </div>

    
  </article>
  
    
  <nav class="article-page">
    
      <a href="/blog/2020/06/02/471a08d2/" id="art-left" class="art-left">
        <span class="next-title">
          <i class="iconfont icon-left"></i>攻防世界--supermarket题Writeup
        </span>
      </a>
    
    
  </nav>


    
  <i id="com-switch" class="iconfont icon-down jumping-in long infinite" style="font-size:24px;display:block;text-align:center;transform:rotate(180deg);"></i>
  <div class="post-comments" id="post-comments" style="display: block;margin: auto 16px;">
    

    
    

    

  </div>



  
  
    
  
  <aside class="post-toc">
    <div class="title"><span>文章导航</span></div>
    <div class="toc-inner">
      <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#Writeups"><span class="toc-text">Writeups</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#PE逆向-1-题目名不记得了"><span class="toc-text">PE逆向 1(题目名不记得了)</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#PE逆向2（题目名也不记得了）"><span class="toc-text">PE逆向2（题目名也不记得了）</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#PE逆向3-（Crackme）"><span class="toc-text">PE逆向3 （Crackme）</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#杂项1（timg0）"><span class="toc-text">杂项1（timg0）</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#杂项2（base）"><span class="toc-text">杂项2（base）</span></a></li></ol></li></ol>
    </div>
  </aside>



  


        </div>
      </main>
      <footer class="footer syuanpi fadeIn" id="footer">
  <hr>
  <div class="footer-wrapper">
    <div class="left">
      <div class="contact-icon">
  
  
</div>

    </div>
    <div class="right">
      <div class="copyright">
    <div class="info">
        <span>&copy;</span>
        <span>2020 ~ 2020</span>
        <span>❤</span>
        <span>Axojhf</span>
    </div>
    <div class="theme">
        <span>
            动力来源于
            <a href="http://hexo.io/" target="_blank" rel="noopener">Hexo </a>
        </span>
        <span>
            主题
            <a href="https://github.com/ColMugX/hexo-theme-Nlvi" target="_blank" rel="noopener"> Nlvi </a>
        </span>
    </div>
    
</div>

    </div>
  </div>
</footer>
    </div>
    <div class="tagcloud" id="tagcloud">
  <div class="tagcloud-taglist">
  
    <div class="tagcloud-tag">
      <button>Writeup</button>
    </div>
  
    <div class="tagcloud-tag">
      <button>其他</button>
    </div>
  
    <div class="tagcloud-tag">
      <button>知识点记录</button>
    </div>
  
  </div>
  
    <div class="tagcloud-postlist active">
      <h2>Writeup</h2>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/27/dd14f23d/">
            <time class="tagcloud-posttime">2020 / 07 / 27</time>
            <span>BUUCTF-Pwn题-Writeup（1）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/28/cfa15dd3/">
            <time class="tagcloud-posttime">2020 / 07 / 28</time>
            <span>BUUCTF-Pwn题-Writeup（2）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/16/771d3ab6/">
            <time class="tagcloud-posttime">2020 / 08 / 16</time>
            <span>BUUCTF-Pwn题-Writeup（3）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/19/5276656a/">
            <time class="tagcloud-posttime">2020 / 08 / 19</time>
            <span>BUUCTF-Pwn题-Writeup（5）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/17/eaca020f/">
            <time class="tagcloud-posttime">2020 / 08 / 17</time>
            <span>BUUCTF-Pwn题-Writeup（4）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/09/21/f87fade1/">
            <time class="tagcloud-posttime">2020 / 09 / 21</time>
            <span>BUUCTF-Pwn题-Writeup（7）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/09/04/40c3ca84/">
            <time class="tagcloud-posttime">2020 / 09 / 04</time>
            <span>BUUCTF-Pwn题-Writeup（6）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/09/28/a01cbdb7/">
            <time class="tagcloud-posttime">2020 / 09 / 28</time>
            <span>BUUCTF-Pwn题-Writeup（8）</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/31/2253bdbe/">
            <time class="tagcloud-posttime">2020 / 08 / 31</time>
            <span>DASCTF2020八月赛个人Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/26/253f1adb/">
            <time class="tagcloud-posttime">2020 / 07 / 26</time>
            <span>DASCTF七月赛个人Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/24/49582296/">
            <time class="tagcloud-posttime">2020 / 08 / 24</time>
            <span>CISCN2020初赛个人Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/01/14185/">
            <time class="tagcloud-posttime">2020 / 06 / 01</time>
            <span>我写出来的招新题的Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/17/45ae5a23/">
            <time class="tagcloud-posttime">2020 / 06 / 17</time>
            <span>攻防世界-“250”题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/09/7b438d60/">
            <time class="tagcloud-posttime">2020 / 06 / 09</time>
            <span>攻防世界-babyheap题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/17/47cfb24f/">
            <time class="tagcloud-posttime">2020 / 06 / 17</time>
            <span>攻防世界-“Recho”题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/12/e563c85c/">
            <time class="tagcloud-posttime">2020 / 07 / 12</time>
            <span>攻防世界-magic题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/10/07/9b619749/">
            <time class="tagcloud-posttime">2020 / 10 / 07</time>
            <span>攻防世界-nobug题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/02/471a08d2/">
            <time class="tagcloud-posttime">2020 / 06 / 02</time>
            <span>攻防世界--supermarket题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/10/04/77eb8480/">
            <time class="tagcloud-posttime">2020 / 10 / 04</time>
            <span>攻防世界-onemanarmy题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/02/a54507f8/">
            <time class="tagcloud-posttime">2020 / 06 / 02</time>
            <span>攻防世界——dice_game题Writeup</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/06/10/928398a1/">
            <time class="tagcloud-posttime">2020 / 06 / 10</time>
            <span>攻防世界-"实时数据监测"题Writeup</span>
          </a>
        </div>
      
    </div>
  
    <div class="tagcloud-postlist ">
      <h2>其他</h2>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/07/38a4c9bb/">
            <time class="tagcloud-posttime">2020 / 08 / 07</time>
            <span>Pwn环境的搭建和解答一些简单Pwn题的分享</span>
          </a>
        </div>
      
    </div>
  
    <div class="tagcloud-postlist ">
      <h2>知识点记录</h2>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/10/44355a63/">
            <time class="tagcloud-posttime">2020 / 08 / 10</time>
            <span>_IO_FILE结构与fread函数知识点小结</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/08/01/8e1ab4ab/">
            <time class="tagcloud-posttime">2020 / 08 / 01</time>
            <span>Pwn题里有关seccomp和prctl函数的知识点小结</span>
          </a>
        </div>
      
        <div class="tagcloud-post">
          <a href="/blog/2020/07/19/5cfa9d84/">
            <time class="tagcloud-posttime">2020 / 07 / 19</time>
            <span>正则表达式学习1</span>
          </a>
        </div>
      
    </div>
  
</div>

  </div>
  <div class="backtop syuanpi melt toTop" id="backtop">
    <i class="iconfont icon-up"></i>
    <span style="text-align:center;font-family:Georgia;"><span style="font-family:Georgia;" id="scrollpercent">1</span>%</span>
</div>

  <div class="search" id="search">
    <div class="input">
      <input type="text" id="search-input" placeholder="搜索一下？" autofocus>
    </div>
    <div id="search-result"></div>
  </div>



<script src="https://cdn.jsdelivr.net/npm/jquery@3.4.1/dist/jquery.min.js"></script>



  <script></script>
  <script src="/blog/script/lib/lightbox/js/lightbox.min.js" async></script>











  
<script src="/blog/script/scheme/banderole.js"></script>




<script src="/blog/script/bootstarp.js"></script>



<script>
if (nlviconfig.theme.toc) {
  setTimeout(function() {
    if (nlviconfig.theme.scheme === 'balance') {
      $("#header").addClass("show_toc");
    } else if (nlviconfig.theme.scheme === 'banderole') {
      $(".container-inner").addClass("has_toc");
      $(".post-toc .title").addClass("show");
      $(".toc-inner").addClass("show");
    }
  }, 1000);
}
</script>



</body>
</html>
